CN108566344B - Message processing method and device - Google Patents

Info

Publication number: CN108566344B
Authority: CN (China)
Prior art keywords: message, flow table, entry, messages, unknown
Legal status: Active
Application number: CN201810223650.0A
Other languages: Chinese (zh)
Other versions: CN108566344A (en)
Inventor: 宋小恒
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: New H3C Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 47/32 Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/74 Address processing for routing

Abstract

The application provides a message processing method and a device, and the method comprises the following steps: after receiving a first message matched with a default flow entry, sending a control message to a controller, wherein the control message carries the first message and attack parameters of all messages matched with the default flow entry within a preset time; receiving and storing an unknown discarding flow table entry sent by the controller, wherein the unknown discarding flow table entry is sent when the controller determines, according to the attack parameters, that the network device is attacked, and is used for discarding a message whose source address is the source address of the first message and whose destination address is not hit; and after receiving a second message matched with the unknown discarding flow table entry, discarding the second message. According to the technical scheme, the controller is prevented from generating a large number of flow table entries in a short time, so that the CPU resources of the controller and of the network device are saved, the burden on the network device and the controller is reduced, and the reliability and stability of the network are improved.

Description

Message processing method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for processing a packet.
Background
The SDN (Software Defined Network) is a novel Network architecture, and the core idea of the SDN is to separate a control layer and a forwarding layer of Network equipment, and to perform centralized and flexible control on Network traffic through an SDN controller, thereby providing a good platform for innovation of a core Network and application.
In the SDN, a host attached to a network device may send a packet to the network device. After receiving the packet, the network device encapsulates the packet into a packet-in message if the packet matches a miss flow entry, and sends the packet-in message to an SDN controller. After receiving the packet-in message, the SDN controller generates a forwarding flow table entry according to the packet-in message and issues the forwarding flow table entry to the network device; after receiving the forwarding flow table entry, the network device forwards the packet according to it.
However, when a host attached to a network device launches an attack, it sends a large number of unknown packets with varying destination addresses, and these unknown packets may all match the miss flow table entry, so that the network device sends a large number of packet-in messages to the SDN controller. The SDN controller then generates a large number of forwarding flow table entries in a short time, which consumes a large amount of the SDN controller's CPU (Central Processing Unit) resources. Moreover, the network device also needs to process the large number of forwarding flow entries, which consumes a large amount of the network device's CPU resources.
Disclosure of Invention
The application provides a message processing method, which is applied to network equipment and comprises the following steps:
after receiving a first message matched with a default flow entry, sending a control message to a controller, wherein the control message carries the first message and attack parameters of all messages matched with the default flow entry within a preset time;
receiving and storing an unknown discarding flow table entry sent by the controller; the unknown discarding flow table entry is sent when the controller determines, according to the attack parameters, that the network device is attacked, and the unknown discarding flow table entry is used for discarding a message whose source address is the source address of the first message and whose destination address is not hit;
and after receiving a second message matched with the unknown discarding flow table item, discarding the second message.
The application provides a message processing method, which is applied to a controller and comprises the following steps:
receiving a control message sent by a network device, wherein the control message carries a first message matched with a default flow table item of the network device and attack parameters of all messages matched with the default flow table item within a preset time;
if the network device is determined to be attacked according to the attack parameters, sending an unknown discarding flow entry to the network device, wherein the unknown discarding flow entry is used for discarding messages whose source address is the source address of the first message and whose destination address is not hit, so that the network device discards a second message matched with the unknown discarding flow table entry.
The application provides a message processing device, which is applied to network equipment, and the device comprises:
the sending module is used for sending a control message to the controller after receiving a first message matched with the default flow table item, wherein the control message carries the first message and attack parameters of all messages matched with the default flow table item within a preset time;
the receiving module is used for receiving and storing the unknown discarding flow table entry sent by the controller; the unknown discarding flow table entry is sent when the controller determines, according to the attack parameters, that the network device is attacked, and the unknown discarding flow table entry is used for discarding messages whose source address is the source address of the first message and whose destination address is not hit;
the receiving module is further configured to receive a second packet matched with the unknown discarded flow table entry;
and the processing module is used for discarding the second message.
The application provides a message processing device, is applied to the controller, the device includes:
the receiving module is used for receiving a control message sent by network equipment, wherein the control message carries a first message matched with a default flow table item of the network equipment and attack parameters of all messages matched with the default flow table item within a preset time;
the determining module is used for determining that the network equipment is attacked according to the attack parameters;
a sending module, configured to send an unknown discard flow entry to the network device, where the unknown discard flow entry is used to discard a packet whose source address is the source address of the first packet and whose destination address is not hit, so that the network device discards the second packet matching the unknown discard flow entry.
According to the technical scheme, in the embodiment of the application, when the network device sends the control message to the controller, the control message can carry attack parameters, so that the controller determines whether the network device is attacked according to the attack parameters; if the network device is attacked, the controller sends the unknown discard flow entry to the network device, so that the network device discards the messages matched with the unknown discard flow entry. In summary, when the host attached to the network device sends a large number of unknown messages with changed destination addresses, these messages all match the unknown discard flow table entry, that is, the network device discards them and does not send a large number of control messages to the controller for them, thereby preventing the controller from generating a large number of flow table entries in a short time, saving the CPU resources of the controller and the network device, reducing the burden on the network device and the controller, and improving the reliability and stability of the network.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments of the present application or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art according to the drawings of the embodiments of the present application.
FIG. 1 is a schematic diagram of an application scenario in an embodiment of the present application;
FIG. 2 is a diagram illustrating forwarding flow entries and unknown discard flow entries in an embodiment of the present application;
fig. 3 is a flowchart of a message processing method according to an embodiment of the present application;
fig. 4 is a block diagram of a message processing apparatus according to an embodiment of the present application;
FIG. 5 is a diagram of a hardware configuration of a network device in one embodiment of the present application;
fig. 6 is a block diagram of a message processing apparatus according to another embodiment of the present application;
fig. 7 is a hardware configuration diagram of a controller according to an embodiment of the present application.
Detailed Description
The terminology used in the embodiments of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein is meant to encompass any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the embodiments of the present application to describe various information, the information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. Depending on the context, moreover, the word "if" as used may be interpreted as "at … …" or "when … …" or "in response to a determination".
An embodiment of the present application provides a message processing method, which may be applied to a system including a network device (e.g., a router, a switch, etc.) and a controller (e.g., an SDN controller, etc.), and is shown in fig. 1, which is an application scenario diagram of the embodiment of the present application. In fig. 1, 3 network devices are taken as an example for explanation, and in practical applications, the number of the network devices may be more, which is not limited to this. In addition, each network device may also have one or more hosts (e.g., VMs (virtual machines), etc.) suspended therefrom, without limitation to the number of hosts.
In an example, in order to instruct the network device to process the packet (such as forwarding processing, discarding processing, and the like), the controller may issue three types of flow entries to the network device, which may be a forwarding flow entry, a default flow entry, and an unknown discarding flow entry, and the three types of flow entries are briefly described below.
1. The forwarding flow entry, that is, the ordinary flow entry. The matching options for the forwarding flow entry may include, but are not limited to: a source address (e.g., a source IP address, a source MAC (Media Access Control) address, a source port, etc.), a destination address (e.g., a destination IP address, a destination MAC address, a destination port, etc.), an ingress interface, a protocol type, etc., and the action option may be a certain egress interface. Therefore, after receiving a message matched with the forwarding flow entry, the network device can forward the message through that egress interface.
2. The default flow entry may also be referred to as a miss flow entry or a table-miss flow entry. The matching option of the default flow entry may be null, that is, all packets can match the default flow entry, but the default flow entry has the lowest priority, that is, only when a packet matches neither a forwarding flow entry nor an unknown discarding flow entry does the packet match the default flow entry. Additionally, the action option of the default flow entry may be "upload to controller". Thus, after receiving a message matched with the default flow entry, the network device can encapsulate the message into a packet-in message and send the packet-in message to the controller.
3. The unknown discarding flow table entry is used for discarding messages with hit source addresses and miss destination addresses. For example, the matching option of the unknown discard flow entry includes a source address, and when the source address of the packet is the same as the source address of the unknown discard flow entry, but the destination address of the packet is different from the destination address of each forwarding flow entry, it indicates that the source address is hit, and the destination address is not hit.
In an example, in order to query a message with a hit source address and a miss destination address, the unknown discard flow entry may be implemented in a multi-level sub-entry manner, which is described in this embodiment by taking two levels of sub-entries as an example, that is, the unknown discard flow entry may include a first level sub-entry and a second level sub-entry.
Moreover, in order to store the first-level sub-table entry and the second-level sub-table entry, the network device may maintain two levels of flow tables, which are a first-level flow table and a second-level flow table, respectively, where the first-level flow table is used to store the first-level sub-table entry, and the second-level flow table is used to store the second-level sub-table entry.
To sum up, the matching option of the forwarding flow entry may include a destination address, and the action option may include a certain egress interface; of course, the above is only an example of a forwarding flow entry, and no limitation is made to this. The controller issues the forwarding flow table entry to the second-level flow table of the network device. Referring to fig. 2, the flow table entry whose matching option is IP address 133 and the flow table entry whose matching option is IP address 134 are forwarding flow table entries; the generation process of a forwarding flow table entry and the message processing process using it are described in the following embodiments.
Wherein, the matching option of the first-level sub-table entry of the unknown discard flow table entry may include a source address, and the action option includes setting metadata (metadata); matching options for a second level sub-entry of the unknown discard flow entry may include the metadata, and action options may include discarding; of course, the above is only an example of unknown discarding flow entry, and no limitation is made to the content. And the controller issues the first-level sub-table items to a first-level flow table of the network device and issues the second-level sub-table items to a second-level flow table of the network device. Referring to fig. 2, the flow table entry whose matching option is IP address 131 is a first-level sub-table entry, and the flow table entry whose matching option is metadata 0X10 is a second-level sub-table entry, and a process of generating an unknown discarded flow table entry and a process of processing a message using the unknown discarded flow table entry are described in the following embodiments.
In the application scenario, referring to fig. 3, a flowchart of a message processing method is shown, and may include:
step 301, after receiving a first packet matching the default flow entry, the network device sends a control message (e.g., a packet-in message) to the controller, where the control message may carry the first packet and attack parameters of all packets matching the default flow entry within a preset time, such as a total number of packets and/or an actual rate of the packets.
After receiving the first packet, the network device may determine that the first packet matches the default flow entry when the first packet does not match the forwarding flow entry and the unknown discard flow entry. Referring to the above embodiments, the action option introduced to the default flow entry may be the upload controller, and therefore, the network device may encapsulate the first packet into a control message and upload the control message to the controller.
In one example, the default flow entry may include attack parameters, and the attack parameters in the default flow entry may be updated each time the network device receives a packet matching the default flow entry. For example, when the default flow entry includes the total number of packets, the network device may add 1 to the total number of packets each time a packet matching the default flow entry is received. For another example, when the default flow entry includes the total number of messages and the actual rate of the messages, the network device adds 1 to the total number of the messages after receiving the messages matched with the default flow entry each time, and obtains the actual rate of the messages by using the total number of the messages and the statistical time, assuming that 1200 messages matched with the default flow entry are received within 1 minute, the total number of the messages is 1200, and the actual rate of the messages is 20 per second.
The network device may periodically count the attack parameters, and in each period, first remove the attack parameters in the previous period (for example, clear the total number of messages and the actual rate of the messages), and then, after receiving the message matched with the default flow entry each time, the network device may update the attack parameters in the default flow entry.
In an example, before the network device sends the control message to the controller, the network device may further read the updated attack parameter from the default flow table entry, and generate the control message carrying the attack parameter. For example, the network device may read the total number of packets 1200 and the actual rate of the packets 20/sec from the default flow table entry, and generate a control message carrying the total number of packets 1200 and the actual rate of the packets 20/sec.
In addition to carrying the first packet and the attack parameter, the control message sent by the network device to the controller may also carry an ingress port, an upload reason, and the like, which is not limited to carrying the first packet and the attack parameter. Furthermore, attack parameters may be carried by the Experiment field of the control message. For example, the Experiment field includes exp_type, experimenter_data[0] and experimenter_data[1], where exp_type is used to indicate that the Experiment field carries the total number of messages and the actual rate of the messages, experimenter_data[0] carries the total number of the messages, and experimenter_data[1] carries the actual rate of the messages.
Step 302, after receiving the control message, the controller analyzes the first message matched with the default flow entry of the network device and attack parameters of all messages matched with the default flow entry within a preset time from the control message.
Step 303, if the controller determines that the network device is attacked according to the attack parameter, an unknown discard flow entry is sent to the network device, where the unknown discard flow entry is used to discard a packet whose source address is the source address of the first packet and whose destination address is not hit, so that the network device discards a packet matching the unknown discard flow entry.
In one example, the controller determining that the network device is attacked according to the attack parameter may include: if the attack parameter is the total number of the messages and the total number of the messages is larger than a first number threshold value, the controller determines that the network equipment is attacked; and if the total number of the messages is not greater than the first number threshold value, the controller determines that the network equipment is not attacked. Or, if the attack parameter is the actual rate of the message, and the actual rate of the message is greater than the first rate threshold, the controller determines that the network device is attacked; and if the actual speed of the message is not greater than the first speed threshold value, the controller determines that the network equipment is not attacked. Or, if the attack parameters are the total number of the messages and the actual rate of the messages, and the total number of the messages is greater than a second number threshold value, and the actual rate of the messages is greater than a second rate threshold value, the controller determines that the network equipment is attacked; and if the total number of the messages is not greater than the second number threshold and/or the actual rate of the messages is not greater than the second rate threshold, the controller determines that the network equipment is not attacked.
After the controller analyzes the first packet and the attack parameter from the control message, a flow table entry may be generated and sent to the network device, and this process may include the following three cases:
in case one, if it is determined that the network device is not attacked according to the attack parameter, the controller may generate a forwarding flow entry and send the forwarding flow entry to the network device. For example, if the attack parameters are the total number of messages 60 and the actual rate of the messages 1/second, it is determined that the network device is not attacked if the total number of the messages 60 is not greater than the second number threshold and the actual rate of the messages 1/second is not greater than the second rate threshold. Assuming that the first packet is a packet sent by the host 131 to the host 133, that is, the source IP address of the first packet is the IP address 131, and the destination IP address is the IP address 133, a forwarding flow table entry shown in fig. 2 is generated, the matching option of the forwarding flow table entry is the IP address 133, the action option is the egress interface 1211 (an interface on the network device 121 connected to the network device 122, which is not shown in fig. 1), and the forwarding flow table entry is stored in the second-level flow table.
In case two, if the network device is determined to be attacked according to the attack parameters, the controller acquires a first quantity of all messages received within the preset time that matched the default flow table entry of the network device, and a second quantity of those messages whose source address is the same as the source address of the first message; if the ratio of the second quantity to the first quantity is not greater than the ratio threshold, a forwarding flow entry may be generated and sent to the network device.
For example, if the attack parameters are the total number of messages 1200 and the actual rate of messages 20/sec, assuming that the total number of messages 1200 is greater than the second number threshold and the actual rate of messages 20/sec is greater than the second rate threshold, the controller may determine that the network device is attacked. Assume that the first packet is a packet sent by the host 132 to the host 134, that is, the source IP address of the first packet is the IP address 132, and the destination IP address is the IP address 134.
Referring to fig. 1, assuming that host 131 attacks and host 132 does not attack, host 131 sends a large number of messages matching the default flow table entry (the destination IP address of these messages is arbitrarily constructed by host 131), and host 132 sends only a small number of messages matching the default flow table entry (e.g., the first message to access host 133, the first message to access host 134, the first message to access host 135, etc.).
Based on this, the controller may analyze whether the host corresponding to the source IP address of the first packet is an attack source. For example, after receiving the first packet, the controller updates the first number, such as 1200, of all packets sent by the network device 121, and updates the second number, such as 3, of the packets corresponding to the IP address 132, and assuming that the ratio of the second number 3 to the first number 1200 is smaller than the ratio threshold, it is determined that the host 132 corresponding to the IP address 132 is not the attack source, so the controller may generate the forwarding flow table entry shown in fig. 2, where a matching option of the forwarding flow table entry is the IP address 134, an action option is the egress interface 1212 (an interface on the network device 121 connected to the network device 123, which is not shown in fig. 1), and the forwarding flow table entry is stored in the second-level flow table.
In case three, if the network device is determined to be attacked according to the attack parameters, the controller obtains a first quantity of all messages received within the preset time that matched the default flow table entry of the network device, and a second quantity of those messages whose source address is the same as the source address of the first message; if the ratio of the second quantity to the first quantity is greater than the ratio threshold, an unknown discard flow entry is generated and sent to the network device. The unknown discard flow entry may include a first-level sub-entry and a second-level sub-entry; the matching option of the first-level sub-entry may include the source address of the first message, and the action option may include setting metadata; the matching option of the second-level sub-entry may include the metadata, and the action option may include discarding.
The third case is similar to the second case, and the difference is explained below. Assume that the first packet is an attack packet sent by the host 131, that is, the source IP address of the first packet is the IP address 131, and the destination IP address is the IP address X constructed by the host 131. After receiving the first packet, the controller updates the first number of all packets sent by the network device 121, such as 1200, updates the second number of packets corresponding to the IP address 131, such as 1197, and determines that the host 131 corresponding to the IP address 131 is an attack source if the ratio of the second number 1197 to the first number 1200 is greater than a ratio threshold, so that the controller may generate the unknown discard flow entry shown in fig. 2.
Wherein, the matching option of the first-level sub-entry of the unknown discarded flow entry is IP address 131, the action option is set metadata 0X10, and the flow table processing is skipped to the second-level flow table processing. Furthermore, the matching option of the second-level sub-entry of the unknown discard flow entry is metadata 0X10 (not IP address X), and the action option is discard.
In the second and third cases, the controller may update the first number of all the messages each time after receiving the first message sent by the network device 121, and the second number of the messages corresponding to the source address of the first message, for example, adding 1 to the current first number, and adding 1 to the current second number, which is not limited in this process.
The controller may periodically count the first number of all the messages and the second number of the messages corresponding to each source address, and in each period, clear the first number and the second number of the previous period, that is, clear the first number of the previous period by 0, and clear the second number of the messages corresponding to each source address by 0. Then, the controller may update the first number and the second number each time the controller receives the first packet sent by the network device 121.
The period of the first number and the period of the second number counted by the controller are the same as the period of the attack parameter counted by the network device, and the preset time in the second case/the third case is the same as the preset time in step 301, for example, 3 minutes. For example, time a-time B is a statistical period of 3 minutes, network device 121 may count attack parameters at time a-time B, and the controller may count the first number and the second number at time a-time B.
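The controller-side decision of step 303 and its three cases, written out as an added simulation that is not part of the patent; the threshold values, the 60 s period, the `dev121` device name, the constructed destinations `X…` and the dict shape of the issued flow entries are all assumptions of this example:

```python
from dataclasses import dataclass, field

# Threshold values are assumptions for this example: the patent names a
# number threshold, a rate threshold and a ratio threshold but gives no values.
NUMBER_THRESHOLD = 1000     # total packet-ins per period (the "second number threshold")
RATE_THRESHOLD = 10.0       # packet-ins per second (the "second rate threshold")
RATIO_THRESHOLD = 0.5       # share of the period's packet-ins coming from one source
METADATA_VALUE = 0x10       # metadata value used by the fig. 2 unknown-discard entry
PERIOD_SECONDS = 60         # statistical period shared by device and controller


@dataclass
class PacketIn:
    """Control message: the first packet plus the device's attack parameters."""
    src: str
    dst: str
    total_packets: int      # experimenter_data[0]
    rate_pps: float         # experimenter_data[1]


@dataclass
class Controller:
    # Counters for the current statistical period (cases two and three).
    first_number: dict = field(default_factory=dict)   # device -> all packet-ins
    second_number: dict = field(default_factory=dict)  # (device, src) -> packet-ins

    def new_period(self):
        """Clear both counters when a new statistical period starts."""
        self.first_number.clear()
        self.second_number.clear()

    @staticmethod
    def is_attacked(msg):
        """Third rule of step 303: both count and rate must exceed their thresholds."""
        return msg.total_packets > NUMBER_THRESHOLD and msg.rate_pps > RATE_THRESHOLD

    def handle_packet_in(self, device, msg, egress_for):
        """Return the flow entries to issue for one packet-in.
        egress_for(dst) stands in for the controller's topology knowledge."""
        self.first_number[device] = self.first_number.get(device, 0) + 1
        key = (device, msg.src)
        self.second_number[key] = self.second_number.get(key, 0) + 1

        ratio = self.second_number[key] / self.first_number[device]
        if self.is_attacked(msg) and ratio > RATIO_THRESHOLD:
            # Case three: this source dominates the period's packet-ins, so the
            # two-level unknown-discard entry is issued instead of a forwarding entry.
            return [
                {"table": 1, "match": {"src": msg.src},
                 "action": {"set_metadata": METADATA_VALUE, "goto_table": 2}},
                {"table": 2, "match": {"metadata": METADATA_VALUE}, "action": "drop"},
            ]
        # Case one (not attacked) or case two (attacked, but this source is not
        # the attack source): issue an ordinary forwarding entry.
        egress = egress_for(msg.dst)
        if egress is None:
            return []   # assumption: no entry for a destination the controller cannot resolve
        return [{"table": 2, "match": {"dst": msg.dst}, "action": {"output": egress}}]


# Topology from fig. 1/fig. 2: host 133 behind egress 1211, host 134 behind egress 1212.
TOPOLOGY = {"133": 1211, "134": 1212}


def run_attack_period():
    """Replay one 60 s period on device 121: 1197 packet-ins from host 131 with
    constructed destinations and 3 from host 132, interleaved. Returns the last
    decision taken for each host."""
    ctrl = Controller()
    sources = ["131"] * 400 + ["132"] + ["131"] * 400 + ["132"] + ["131"] * 397 + ["132"]
    last = {}
    for i, src in enumerate(sources):
        total = i + 1                                 # device-side total so far in the period
        rate = total / PERIOD_SECONDS                 # device-side actual rate
        dst = "134" if src == "132" else f"X{i}"      # X…: constructed destination
        last[src] = ctrl.handle_packet_in("dev121", PacketIn(src, dst, total, rate), TOPOLOGY.get)
    return last
```

Host 132 ends the period with a forwarding entry for host 134 (ratio 3/1200) while host 131 ends it with the two unknown-discard sub-entries (ratio 1197/1199); before the device-side counters cross the thresholds, no packet-in from either host is treated as an attack.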
Step 304, the network device receives and stores an unknown discard flow entry sent by the controller, where the unknown discard flow entry is used to discard a message whose source address is the source address of the first message and whose destination address is not hit.
As shown in the first and second cases, after receiving the forwarding flow entry, the network device stores the forwarding flow entry in the second-stage flow table, which is shown in fig. 2. As shown in case three, after receiving the unknown discarded flow entry, the network device may store a first-level sub-entry of the unknown discarded flow entry in the first-level flow table, and store a second-level sub-entry of the unknown discarded flow entry in the second-level flow table, as shown in fig. 2.
Step 305, after receiving the second packet matching with the unknown discard flow entry, the network device discards the second packet. The second message is a message with a hit source address and a miss destination address.
The receiving, by the network device, the second packet matched with the unknown discard flow entry may include: after receiving a second message, the network device queries a first-level flow table through a source address of the second message, and if a first-level sub-table entry in the first-level flow table is hit (namely the first-level sub-table entry of an unknown discarded flow table entry), sets metadata in the first-level sub-table entry for the second message; and querying a second-stage flow table through the destination address of the second message, if all the entries in the second-stage flow table (such as all forwarding flow entries and second-stage sub-entries of the unknown discarded flow entry) are not hit, querying the second-stage flow table through metadata set for the second message, and if the second-stage sub-entries in the second-stage flow table (namely the second-stage sub-entries of the unknown discarded flow entry) are hit, determining that the second message is matched with the unknown discarded flow entry.
For example, message 1 sent by host 132 to host 134 has source IP address 132 and destination IP address 134. Referring to fig. 2, on receiving message 1 network device 121 looks up the first-level flow table by IP address 132. No entry matches IP address 132, so processing falls through to the second-level flow table, which is looked up by destination IP address 134. An entry matches IP address 134 and its action option is egress interface 1212, so message 1 is sent out through egress interface 1212.
Message 2 sent by host 131 to host 133 has source IP address 131 and destination IP address 133. Referring to fig. 2, on receiving message 2 network device 121 looks up the first-level flow table by IP address 131. An entry matches IP address 131, so metadata 0x10 is set on message 2 and processing jumps to the second-level flow table, which is looked up by destination IP address 133. An entry matches IP address 133 and its action option is egress interface 1211, so message 2 is sent out through egress interface 1211; no lookup by metadata 0x10 is performed.
Attack message 3 sent by host 131 has source IP address 131 and a destination IP address Y fabricated by host 131. Referring to fig. 2, on receiving message 3 network device 121 looks up the first-level flow table by IP address 131. An entry matches IP address 131, so metadata 0x10 is set on message 3 and processing jumps to the second-level flow table, which is looked up by destination IP address Y. No entry is hit, so the second-level flow table is looked up by the metadata 0x10 set on message 3. An entry matches metadata 0x10 and its action option is discard, so message 3 is discarded and not forwarded.
Consequently, if host 131 is infected with a virus that makes it generate a large number of attack messages with varying destination IP addresses, those messages are handled like message 3: network device 121 discards them and does not send a large number of control messages to the controller on their account. The controller is therefore not driven to generate a large number of flow entries in a short time, which saves CPU resources on both the controller and the network device, reduces their load, and improves the reliability and stability of the network.
In the above embodiment, an aging timer may also be set for the unknown discard flow entry, with an aging time configured from experience, for example 600 seconds. Before the aging timer expires, the network device may refresh the aging time each time it receives a message matching the unknown discard flow entry; once the aging timer expires, the unknown discard flow entry may be deleted.
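The two-level lookup of steps 304 and 305 and the aging timer just described, as an added Python model; it is not code from the patent, which specifies none. Host and interface names and the metadata value 0x10 follow fig. 2 and the worked messages above; the `Switch` class, its method names, and the choice of giving each blocked source its own metadata value are assumptions of this example.

```python
# Added example: a model of the network device's two-level flow table as
# described in the patent (not the patent's own code). Switch,
# install_unknown_discard, age_out and process are names assumed here.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DROP = "drop"
PACKET_IN = "packet_in"  # action of the lowest-priority default (table-miss) entry


@dataclass
class Packet:
    src: str  # source IP address
    dst: str  # destination IP address


@dataclass
class Switch:
    # Second-level flow table, forwarding entries: destination IP -> egress interface.
    table2_fwd: Dict[str, str] = field(default_factory=dict)
    # First-level flow table, first-level sub-entries: source IP -> metadata to set.
    table1: Dict[str, int] = field(default_factory=dict)
    # Second-level sub-entries of unknown-discard entries: metadata -> action.
    table2_meta: Dict[int, str] = field(default_factory=dict)
    # Aging state: source IP -> absolute expiry time of its unknown-discard entry.
    aging: Dict[str, float] = field(default_factory=dict)
    aging_time: float = 600.0  # seconds, the example value from the description
    next_meta: int = 0x10      # first blocked source gets metadata 0x10, as in fig. 2
    packet_in: List[Packet] = field(default_factory=list)  # sent to the controller

    def install_unknown_discard(self, src: str, now: float) -> int:
        """Store both sub-entries of an unknown-discard flow entry for src.

        Each blocked source gets its own metadata value (an assumption of this
        example) so that aging one entry cannot affect another.
        """
        meta = self.next_meta
        self.next_meta += 1
        self.table1[src] = meta
        self.table2_meta[meta] = DROP
        self.aging[src] = now + self.aging_time
        return meta

    def age_out(self, now: float) -> List[str]:
        """Delete unknown-discard entries whose aging timer has expired."""
        expired = [s for s, expiry in self.aging.items() if expiry <= now]
        for src in expired:
            del self.aging[src]
            meta = self.table1.pop(src)
            self.table2_meta.pop(meta, None)
        return expired

    def process(self, pkt: Packet, now: float = 0.0) -> str:
        """Return the action taken for pkt: an egress interface, DROP or PACKET_IN."""
        # Stage 1: look up by source address; a hit sets metadata and goes to table 2.
        metadata: Optional[int] = self.table1.get(pkt.src)
        # Stage 2: a forwarding entry matched on the destination address wins,
        # so a blocked source still reaches known destinations (message 2).
        if pkt.dst in self.table2_fwd:
            return self.table2_fwd[pkt.dst]
        # Destination missed: consult the metadata sub-entry (message 3).
        if metadata is not None and metadata in self.table2_meta:
            # Every matching message refreshes the aging timer before it expires.
            self.aging[pkt.src] = now + self.aging_time
            return self.table2_meta[metadata]
        # Nothing matched: the default entry hands the message to the controller.
        self.packet_in.append(pkt)
        return PACKET_IN
```

On an OpenFlow 1.3 switch the same behaviour is expressed with priorities inside the second table rather than with two separate lookups: the forwarding entries matched on destination address carry a higher priority than the metadata-matched drop entry, and the table-miss entry the lowest, which is exactly the order `process` applies.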
In the above embodiment, the controller may further determine a maximum upload rate for the network device and send it to the network device, which stores it in the default flow entry. Then, after receiving a first message matching the default flow entry and before sending a control message to the controller, the network device first checks whether its rate of sending control messages to the controller has already reached the maximum upload rate. If so, it refrains from sending the control message; if not, it sends the control message to the controller.
For example, with a maximum upload rate of 10 per second, after receiving a first message matching the default flow entry the network device checks whether its rate of sending control messages to the controller has reached 10 per second. If not, it sends a control message carrying the first message to the controller; if so, it discards the first message directly and sends no control message for it.
The controller may determine the maximum upload rate of the network device in several ways. It may be an empirical value, for example 10 per second, which the controller adopts directly. Alternatively, the controller may derive it from its own load: the more CPU resources the controller has free, the larger the maximum upload rate, and the fewer it has free, the smaller; or the fewer tasks the controller has pending, the larger the rate, and the more tasks pending, the smaller. These are only two examples of determining the maximum upload rate and are not limiting.
When the maximum upload rate is derived from load, it can also be adjusted dynamically as the load changes. For example, when the controller's free CPU resources increase, the maximum upload rate of the network device may be raised, and when they decrease, the rate may be lowered; the details are not repeated here.
A meter-type instruction may be added to the default flow entry, referencing a meter table entry that holds the maximum upload rate.
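The upload-rate check described above, as an added Python example that is not the patent's own code. The 10-per-second value is the one from the description; the token-bucket form of the meter, the `UploadLimiter` class, the `handle_table_miss` function and the linear mapping in `max_rate_for_load` are assumptions of this example (the patent only says the rate grows with the controller's free CPU and shrinks as it is used up).

```python
# Added example: token-bucket limit on control messages sent to the controller,
# standing in for the meter that holds the "maximum upload rate" of the default
# flow entry (not the patent's own code; names here are assumptions).
from dataclasses import dataclass
from typing import Optional

SEND = "send_control_message"  # forward the first message to the controller
DROP = "drop"                  # rate reached: discard the first message directly


@dataclass
class UploadLimiter:
    """Token bucket: max_rate tokens per second, burst of at most max_rate."""
    max_rate: float                 # maximum upload rate, e.g. 10 per second
    tokens: Optional[float] = None  # starts full
    last: float = 0.0               # time of the previous refill

    def __post_init__(self) -> None:
        if self.tokens is None:
            self.tokens = self.max_rate

    def set_max_rate(self, max_rate: float) -> None:
        """Dynamic adjustment pushed by the controller; shrink the burst with the rate."""
        self.max_rate = max_rate
        self.tokens = min(self.tokens, max_rate)

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if available."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tokens = min(self.max_rate, self.tokens + elapsed * self.max_rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def handle_table_miss(limiter: UploadLimiter, now: float) -> str:
    """Decision taken for a first message that matched the default flow entry."""
    return SEND if limiter.allow(now) else DROP


def max_rate_for_load(cpu_idle_fraction: float, low: float = 2.0, high: float = 50.0) -> float:
    """Assumed linear mapping from the controller's free CPU share to a rate.

    The linear form and the bounds are this example's choice; only the
    direction (more free CPU, higher rate) comes from the description.
    """
    idle = min(1.0, max(0.0, cpu_idle_fraction))
    return low + idle * (high - low)
```

The limiter protects the controller from the first flood, before any unknown discard flow entry exists; once the entry is installed, attack messages from that source never reach the default entry at all, so the two mechanisms compose rather than overlap.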
In the above embodiment, after determining from the attack parameters that the network device is under attack, the controller may further send an alarm message to a cloud management platform. The alarm message may carry one or more of: the attack parameters, the source address of the first message that matched the default flow entry (that is, the IP address of the attack source), and the attack time. The cloud management platform can then raise an attack alarm to the user, isolate the host, or remove the virus; once the host has been restored, the unknown discard flow entry ages out and the host's service is restored.
In practice, the network device and the controller periodically exchange Echo (loopback) messages to verify that the connection is alive. For example, the network device periodically sends an Echo request and, if it receives no Echo reply within a preset time, disconnects from the controller; likewise, if the controller receives no Echo request within a preset time, it disconnects from the network device.
In the conventional approach, both the controller and the network device must process a large number of forwarding flow entries in a short time, which consumes so much CPU that Echo messages go unprocessed for a long time and the connection between them is torn down. In the embodiments of this application, the network device does not send a large number of control messages to the controller in response to a flood of attack messages, so the controller is not driven to generate a large number of flow entries in a short time; CPU resources on both the controller and the network device are saved and their load is reduced, allowing Echo messages to be processed in time and avoiding the interruption of the connection.
Based on the same concept as the method described above, an embodiment of the present application further provides a message processing apparatus that can be applied to a network device. Fig. 4 is a structural diagram of the apparatus, which comprises:
a sending module 401, configured to send a control message to the controller after a first message matching the default flow entry is received, the control message carrying the first message and the attack parameters of all messages that matched the default flow entry within a preset time;
a receiving module 402, configured to receive and store an unknown discard flow entry sent by the controller; the unknown discard flow entry is sent when the controller determines from the attack parameters that the network device is under attack, and is used to discard messages whose source address is the source address of the first message and whose destination address is not hit;
the receiving module 402 being further configured to receive a second message matching the unknown discard flow entry;
and a processing module 403, configured to discard the second message.
The unknown discard flow entry comprises a first-level sub-entry and a second-level sub-entry. The matching option of the first-level sub-entry comprises the source address of the first message and its action option comprises setting metadata; the matching option of the second-level sub-entry comprises that metadata and its action option comprises discarding. The first-level sub-entry is stored in a first-level flow table and the second-level sub-entry in a second-level flow table.
When receiving the second message matching the unknown discard flow entry, the receiving module 402 is specifically configured to: after receiving a second message, look up the first-level flow table by the source address of the second message and, if the first-level sub-entry in the first-level flow table is hit, set the metadata on the second message; look up the second-level flow table by the destination address of the second message and, if no entry in the second-level flow table is hit, look up the second-level flow table by the metadata set on the second message; and, if the second-level sub-entry in the second-level flow table is hit, determine that the second message matches the unknown discard flow entry.
From a hardware perspective, fig. 5 is a schematic diagram of the hardware architecture of the network device provided in the embodiment of the present application. The device comprises a machine-readable storage medium and a processor, wherein:
the machine-readable storage medium stores instruction code;
the processor communicates with the machine-readable storage medium and reads and executes the instruction code stored in it to carry out the message processing operations disclosed in the examples above.
Here, a machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions and data. For example, it may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (such as a hard drive), a solid-state drive, any type of storage disk (such as an optical disc or DVD), a similar storage medium, or a combination of these.
Based on the same concept as the method described above, an embodiment of the present application further provides a message processing apparatus that can be applied to a controller. Fig. 6 is a structural diagram of the apparatus, which comprises:
a receiving module 601, configured to receive a control message sent by a network device, the control message carrying a first message that matched a default flow entry of the network device and the attack parameters of all messages that matched the default flow entry within a preset time;
a determining module 602, configured to determine from the attack parameters that the network device is under attack;
and a sending module 603, configured to send an unknown discard flow entry to the network device, the unknown discard flow entry being used to discard messages whose source address is the source address of the first message and whose destination address is not hit, so that the network device discards a second message matching the unknown discard flow entry.
The attack parameters comprise the total number of messages and/or the actual rate of messages.
When determining from the attack parameters that the network device is under attack, the determining module 602 is specifically configured to: if the attack parameter is the total number of messages and that total is greater than a first number threshold, determine that the network device is under attack; or, if the attack parameter is the actual rate of messages and that rate is greater than a first rate threshold, determine that the network device is under attack; or, if the attack parameters are both the total number of messages and the actual rate of messages, the total is greater than a second number threshold and the rate is greater than a second rate threshold, determine that the network device is under attack.
In one example, the message processing apparatus further comprises (not shown in the figure):
a generating module, configured to obtain a first number of all messages received within the preset time that matched the default flow entry of the network device, and a second number of those messages whose source address is the same as the source address of the first message; and, if the ratio of the second number to the first number is greater than a ratio threshold, to generate the unknown discard flow entry.
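The controller side, as an added Python example that is not the patent's own code: the periodic first and second numbers described earlier for the second and third cases, the three threshold rules of the determining module, and the ratio check of the generating module, combined into one decision per received control message. The 3-minute period and metadata 0x10 come from the description; every threshold value, the `Controller` class and its method names, and the choices of not re-issuing an entry for a source that already has one within the period and of raising the alarm together with the entry are assumptions of this example.

```python
# Added example: controller-side detection and entry generation as described in
# the patent (not the patent's own code). Threshold values and all names below
# are assumptions of this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ControlMessage:
    src: str                      # source address of the first message it carries
    total: Optional[int] = None   # attack parameter: total number of default-matched messages
    rate: Optional[float] = None  # attack parameter: actual rate of those messages


@dataclass
class Controller:
    period: float = 180.0     # 3-minute statistical period from the description
    num_thr1: int = 1000      # first number threshold (only the total is reported)
    rate_thr1: float = 100.0  # first rate threshold (only the rate is reported)
    num_thr2: int = 500       # second number threshold (both are reported)
    rate_thr2: float = 50.0   # second rate threshold (both are reported)
    ratio_thr: float = 0.6    # ratio threshold of second number to first number
    period_start: float = 0.0
    first_number: int = 0                                         # all messages this period
    second_number: Dict[str, int] = field(default_factory=dict)   # messages per source
    issued: Set[str] = field(default_factory=set)                 # sources already blocked
    alarms: List[dict] = field(default_factory=list)              # sent to the cloud platform

    def is_attacked(self, msg: ControlMessage) -> bool:
        """The three decision rules of the determining module."""
        if msg.total is not None and msg.rate is not None:
            return msg.total > self.num_thr2 and msg.rate > self.rate_thr2
        if msg.total is not None:
            return msg.total > self.num_thr1
        if msg.rate is not None:
            return msg.rate > self.rate_thr1
        return False

    def _roll_period(self, now: float) -> None:
        """At each new period, clear the first number and every second number."""
        elapsed = now - self.period_start
        if elapsed >= self.period:
            self.period_start += self.period * int(elapsed // self.period)
            self.first_number = 0
            self.second_number.clear()
            self.issued.clear()  # lets a source be blocked again after its entry ages out

    def on_control_message(self, msg: ControlMessage, now: float) -> Optional[dict]:
        """Return the unknown-discard flow entry to push to the device, or None."""
        self._roll_period(now)
        self.first_number += 1
        self.second_number[msg.src] = self.second_number.get(msg.src, 0) + 1
        if not self.is_attacked(msg) or msg.src in self.issued:
            return None
        # Generating module: only block a source that dominates the table misses.
        ratio = self.second_number[msg.src] / self.first_number
        if ratio <= self.ratio_thr:
            return None
        self.issued.add(msg.src)
        self.alarms.append({"source": msg.src, "total": msg.total,
                            "rate": msg.rate, "time": now})
        return {
            "first_level": {"match": {"src_ip": msg.src},
                            "actions": ["set_metadata:0x10", "goto_table:2"]},
            "second_level": {"match": {"metadata": "0x10"}, "actions": ["drop"]},
        }
```

The ratio check is what keeps a burst of table misses caused by many legitimate new flows from blocking one innocent host: with three other sources already counted, host 131 is only blocked once its own misses exceed 60 percent of the period's total.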
From a hardware perspective, fig. 7 is a schematic diagram of the hardware architecture of the controller provided in the embodiment of the present application. The controller comprises a machine-readable storage medium and a processor, wherein:
the machine-readable storage medium stores instruction code;
the processor communicates with the machine-readable storage medium and reads and executes the instruction code stored in it to carry out the message processing operations disclosed in the examples above.
Here, a machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions and data. For example, it may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (such as a hard drive), a solid-state drive, any type of storage disk (such as an optical disc or DVD), a similar storage medium, or a combination of these.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (15)

1. A message processing method applied to a network device, characterized in that the method comprises:
after receiving a first message matching a default flow entry, sending a control message to a controller, the control message carrying the first message and attack parameters of all messages that matched the default flow entry within a preset time; the matching option of the default flow entry is empty, the default flow entry has the lowest priority, and a message matches the default flow entry when it matches neither a forwarding flow entry nor an unknown discard flow entry;
receiving and storing an unknown discard flow entry sent by the controller, the unknown discard flow entry being sent when the controller determines from the attack parameters that the network device is under attack, and being used to discard messages whose source address is the source address of the first message and whose destination address is not hit;
and after receiving a second message matching the unknown discard flow entry, discarding the second message.
2. The method of claim 1, wherein after receiving the first message matching the default flow entry and before sending the control message to the controller, the method further comprises:
updating the attack parameters in the default flow entry; reading the updated attack parameters from the default flow entry and generating a control message carrying the updated attack parameters;
wherein the attack parameters comprise a total number of messages and/or an actual rate of messages.
3. The method of claim 1, wherein the default flow entry further comprises a maximum upload rate, and before sending the control message to the controller the method further comprises:
judging whether the rate of sending control messages to the controller has reached the maximum upload rate;
if so, refraining from sending the control message to the controller;
and if not, performing the sending of the control message to the controller.
4. The method of claim 1, wherein
the unknown discard flow entry comprises a first-level sub-entry and a second-level sub-entry; the matching option of the first-level sub-entry comprises the source address of the first message and its action option comprises setting metadata; the matching option of the second-level sub-entry comprises the metadata and its action option comprises discarding; the first-level sub-entry is stored in a first-level flow table and the second-level sub-entry is stored in a second-level flow table;
and receiving the second message matching the unknown discard flow entry comprises:
after receiving a second message, looking up the first-level flow table by the source address of the second message and, if the first-level sub-entry in the first-level flow table is hit, setting the metadata on the second message; looking up the second-level flow table by the destination address of the second message and, if no entry in the second-level flow table is hit, looking up the second-level flow table by the metadata set on the second message; and, if the second-level sub-entry in the second-level flow table is hit, determining that the second message matches the unknown discard flow entry.
5. A message processing method applied to a controller, the method comprising:
receiving a control message sent by a network device, the control message carrying a first message that matched a default flow entry of the network device and attack parameters of all messages that matched the default flow entry within a preset time; the matching option of the default flow entry is empty, the default flow entry has the lowest priority, and a message matches the default flow entry when it matches neither a forwarding flow entry nor an unknown discard flow entry;
and, if it is determined from the attack parameters that the network device is under attack, sending an unknown discard flow entry to the network device, the unknown discard flow entry being used to discard messages whose source address is the source address of the first message and whose destination address is not hit, so that the network device discards a second message matching the unknown discard flow entry.
6. The method of claim 5, wherein the attack parameters comprise a total number of messages and/or an actual rate of messages, and determining from the attack parameters that the network device is under attack comprises:
if the attack parameter is the total number of messages and that total is greater than a first number threshold, determining that the network device is under attack; or, if the attack parameter is the actual rate of messages and that rate is greater than a first rate threshold, determining that the network device is under attack; or, if the attack parameters are both the total number of messages and the actual rate of messages, the total is greater than a second number threshold and the rate is greater than a second rate threshold, determining that the network device is under attack.
7. The method of claim 5, wherein
before sending the unknown discard flow entry to the network device, the method further comprises:
obtaining a first number of all messages received within the preset time that matched the default flow entry of the network device, and a second number of those messages whose source address is the same as the source address of the first message; and, if the ratio of the second number to the first number is greater than a ratio threshold, generating the unknown discard flow entry.
8. The method of claim 5 or 7, wherein
the unknown discard flow entry comprises a first-level sub-entry and a second-level sub-entry; the matching option of the first-level sub-entry comprises the source address of the first message and its action option comprises setting metadata; the matching option of the second-level sub-entry comprises the metadata and its action option comprises discarding;
and sending the unknown discard flow entry to the network device comprises: issuing the first-level sub-entry to a first-level flow table of the network device and issuing the second-level sub-entry to a second-level flow table of the network device.
9. The method of claim 5, further comprising:
determining a maximum upload rate of the network device and sending the maximum upload rate to the network device, so that the network device sends control messages to the controller in accordance with the maximum upload rate.
10. The method of claim 5, wherein
after determining from the attack parameters that the network device is under attack, the method further comprises:
sending an alarm message to a cloud management platform, the alarm message carrying one or more of: the attack parameters, the source address of the first message that matched the default flow entry, and the attack time.
11. A message processing apparatus applied to a network device, the apparatus comprising:
a sending module, configured to send a control message to a controller after a first message matching a default flow entry is received, the control message carrying the first message and attack parameters of all messages that matched the default flow entry within a preset time; the matching option of the default flow entry is empty, the default flow entry has the lowest priority, and a message matches the default flow entry when it matches neither a forwarding flow entry nor an unknown discard flow entry;
a receiving module, configured to receive and store an unknown discard flow entry sent by the controller, the unknown discard flow entry being sent when the controller determines from the attack parameters that the network device is under attack, and being used to discard messages whose source address is the source address of the first message and whose destination address is not hit;
the receiving module being further configured to receive a second message matching the unknown discard flow entry;
and a processing module, configured to discard the second message.
12. The apparatus of claim 11, wherein
the unknown discard flow entry comprises a first-level sub-entry and a second-level sub-entry; the matching option of the first-level sub-entry comprises the source address of the first message and its action option comprises setting metadata; the matching option of the second-level sub-entry comprises the metadata and its action option comprises discarding; the first-level sub-entry is stored in a first-level flow table and the second-level sub-entry is stored in a second-level flow table;
and, when receiving the second message matching the unknown discard flow entry, the receiving module is specifically configured to: after receiving a second message, look up the first-level flow table by the source address of the second message and, if the first-level sub-entry in the first-level flow table is hit, set the metadata on the second message; look up the second-level flow table by the destination address of the second message and, if no entry in the second-level flow table is hit, look up the second-level flow table by the metadata set on the second message; and, if the second-level sub-entry in the second-level flow table is hit, determine that the second message matches the unknown discard flow entry.
13. A message processing apparatus applied to a controller, the apparatus comprising:
a receiving module, configured to receive a control message sent by a network device, the control message carrying a first message that matched a default flow entry of the network device and attack parameters of all messages that matched the default flow entry within a preset time; the matching option of the default flow entry is empty, the default flow entry has the lowest priority, and a message matches the default flow entry when it matches neither a forwarding flow entry nor an unknown discard flow entry;
a determining module, configured to determine from the attack parameters that the network device is under attack;
and a sending module, configured to send an unknown discard flow entry to the network device, the unknown discard flow entry being used to discard messages whose source address is the source address of the first message and whose destination address is not hit, so that the network device discards a second message matching the unknown discard flow entry.
14. The apparatus of claim 13, wherein
the attack parameters comprise the total number of packets and/or the actual packet rate; and
the determining module is specifically configured, when determining according to the attack parameters that the network device is under attack, to: if the attack parameter is the total number of packets and the total number of packets is greater than a first number threshold, determine that the network device is under attack; or, if the attack parameter is the actual packet rate and the actual packet rate is greater than a first rate threshold, determine that the network device is under attack; or, if the attack parameters are the total number of packets and the actual packet rate, the total number of packets is greater than a second number threshold, and the actual packet rate is greater than a second rate threshold, determine that the network device is under attack.
15. The apparatus of claim 13, further comprising:
a generating module, configured to obtain a first number, being the number of all packets received within the preset time that matched the default flow entry of the network device, and a second number, being the number of those packets whose source address is the same as the source address of the first packet; and, if the ratio of the second number to the first number is greater than a ratio threshold, generate the unknown discard flow entry.
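The controller-side logic of claims 13 to 15, as an added example in Python (not the patent's or the assignee's code): the threshold selection of claim 14, which depends on which attack parameters the control message carries, and the ratio check of claim 15 before an entry is generated. The ControlMessage class stands in for the control message, the threshold values and metadata value are constructed, and the assumption that the controller obtains the first and second numbers by counting the source addresses of the default-entry packets it has received in the current window is made for the example only.

```python
"""Controller-side logic of claims 13-15: attack decision and entry generation.

Added example, not the patent's code. ControlMessage models the control
message carrying the first packet and the attack parameters; thresholds, the
metadata value and the per-window source counting are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

ATTACK_META = 0x1  # constructed metadata value shared by the two sub-entries


@dataclass
class ControlMessage:
    src: str                      # source address of the first packet
    dst: str                      # destination address of the first packet
    total: Optional[int] = None   # attack parameter: packets matching the default entry in the window
    rate: Optional[float] = None  # attack parameter: actual packet rate (packets/s)


@dataclass
class Thresholds:
    n1: int = 1000      # first number threshold (total number alone)
    r1: float = 500.0   # first rate threshold (rate alone)
    n2: int = 500       # second number threshold (total number together with rate)
    r2: float = 200.0   # second rate threshold (rate together with total number)
    ratio: float = 0.5  # ratio threshold of claim 15


class Controller:
    def __init__(self, th: Thresholds) -> None:
        self.th = th
        self.window_srcs: Counter = Counter()  # src -> default-entry packets seen this window
        self.installed: Dict[str, dict] = {}   # src -> unknown discard entry sent to the device

    def observe(self, src: str, n: int = 1) -> None:
        """Record default-entry packets that reached the controller in the current window."""
        self.window_srcs[src] += n

    def is_attacked(self, msg: ControlMessage) -> bool:
        """Claim 14: the thresholds applied depend on which parameters are present."""
        if msg.total is not None and msg.rate is not None:
            return msg.total > self.th.n2 and msg.rate > self.th.r2
        if msg.total is not None:
            return msg.total > self.th.n1
        if msg.rate is not None:
            return msg.rate > self.th.r1
        return False

    def generate_entry(self, src: str) -> Optional[dict]:
        """Claim 15: build the entry only if this source dominates the default-entry traffic."""
        first = sum(self.window_srcs.values())  # all default-entry packets in the window
        second = self.window_srcs[src]          # those sharing the first packet's source
        if first == 0 or second / first <= self.th.ratio:
            return None  # diffuse traffic: a per-source drop entry would not help
        return {
            "first_level": {"match": {"src": src}, "action": {"set_metadata": ATTACK_META}},
            "second_level": {"match": {"metadata": ATTACK_META}, "action": "drop"},
        }

    def handle(self, msg: ControlMessage) -> Optional[dict]:
        """Process one control message; return the entry sent to the device, or None."""
        if not self.is_attacked(msg):
            return None
        entry = self.generate_entry(msg.src)
        if entry is not None:
            self.installed[msg.src] = entry
        return entry


def demo() -> Optional[dict]:
    """Constructed window: 80 of 100 default-entry packets came from 10.0.0.1."""
    ctl = Controller(Thresholds())
    ctl.observe("10.0.0.1", 80)
    ctl.observe("10.0.0.7", 20)
    return ctl.handle(ControlMessage("10.0.0.1", "10.0.0.200", total=1500, rate=600.0))


if __name__ == "__main__":
    print(demo())
```

Two practical notes. The ratio check is what stops the controller from reacting to a diffuse scan (many sources, each below the ratio) by installing an entry that would catch almost nothing. And because the entry is keyed on the source address of the first packet, an attacker spoofing another host's address can cause that host's unknown-destination traffic to be dropped for as long as the entry lives; the destination-first lookup limits the damage to flows the device has no forwarding entry for, but entry lifetime still deserves a bound.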
CN201810223650.0A 2018-03-19 2018-03-19 Message processing method and device Active CN108566344B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810223650.0A CN108566344B (en) 2018-03-19 2018-03-19 Message processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810223650.0A CN108566344B (en) 2018-03-19 2018-03-19 Message processing method and device

Publications (2)

Publication Number Publication Date
CN108566344A CN108566344A (en) 2018-09-21
CN108566344B true CN108566344B (en) 2022-01-25

Family

ID=63531683

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810223650.0A Active CN108566344B (en) 2018-03-19 2018-03-19 Message processing method and device

Country Status (1)

Country Link
CN (1) CN108566344B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110392034B (en) * 2018-09-28 2020-10-13 新华三信息安全技术有限公司 Message processing method and device
CN111935243B (en) * 2020-07-17 2023-06-30 杭州海康机器人股份有限公司 Data information transmission method, device, system and equipment
CN113783857B (en) * 2021-08-31 2023-11-07 新华三信息安全技术有限公司 Anti-attack method, device, equipment and machine-readable storage medium
CN114143089B (en) * 2021-11-30 2024-02-09 迈普通信技术股份有限公司 Message processing method, device, network equipment and computer readable storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105474602B (en) * 2014-06-17 2019-02-05 华为技术有限公司 The method, apparatus and equipment of attack stream are identified in software defined network
CN105592055A (en) * 2015-09-18 2016-05-18 杭州华三通信技术有限公司 Anti-attack method and device for TCP SYN FLOOD
CN105763465B (en) * 2016-01-29 2019-01-22 新华三技术有限公司 A kind of distributed group interflow amount control method and device
CN106060085B (en) * 2016-07-15 2019-09-17 新华三技术有限公司 Prevent ARP message aggression method and device

Also Published As

Publication number Publication date
CN108566344A (en) 2018-09-21

Similar Documents

Publication Publication Date Title
CN108566344B (en) Message processing method and device
US10742722B2 (en) Server load balancing
CN108667853B (en) Malicious attack detection method and device
CN107786450B (en) Data message transmission method and device and machine-readable storage medium
KR102536676B1 (en) Packet processing method and apparatus, and related devices
CN107547391B (en) Message transmission method and device
CN108259347B (en) Message transmission method and device
CN108390954B (en) Message transmission method and device
CN108134748B (en) Packet loss method and device based on fast forwarding table entry
CN108600109B (en) Message forwarding method and device
EP3179687B1 (en) Network flow information statistics method and apparatus
US10104000B2 (en) Reducing control plane overload of a network device
CN104580107A (en) Hostile attack detection method and controller
CN103428185B (en) Packet filtering/method for limiting speed, system and device
CN114244752A (en) Flow statistical method, device and equipment
CN106789671B (en) Service message forwarding method and device
CN107332773B (en) Method for learning ARP table entry and PTN equipment
CN107528929B (en) ARP (Address resolution protocol) entry processing method and device
US11005884B2 (en) Denial of service mitigation with two-tier hash
CN114070798B (en) Message transmission method, device and equipment
CN110365667B (en) Attack message protection method and device and electronic equipment
CN108259454B (en) Portal authentication method and device
CN107046503B (en) Message transmission method, system and device
CN111385278A (en) Message forwarding method and device
CN109005120B (en) Message processing method and network equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant